Ivanti EPM Auth Bypass Now Under Active Exploitation, CISA Warns
CVE-2026-1603 allows unauthenticated attackers to steal credential vaults from Ivanti Endpoint Manager. CISA added it to its KEV catalog after exploitation was detected.
CISA added CVE-2026-1603 to its Known Exploited Vulnerabilities catalog on March 9, confirming that attackers are actively exploiting an authentication bypass in Ivanti Endpoint Manager to steal credential data from enterprise systems.
TL;DR
- What happened: Auth bypass in Ivanti EPM lets attackers steal credentials without logging in
- Who's affected: All Ivanti Endpoint Manager versions before 2024 SU5
- Severity: CVSS 8.6 (High)
- Action required: Patch to EPM 2024 SU5 by March 23, 2026 (federal deadline)
How the Attack Works
The vulnerability is deceptively simple. By sending an HTTP request containing a specific "magic number" value (the integer 64), an attacker can bypass authentication and directly access protected EPM endpoints. No valid credentials required.
Once past the authentication check, attackers can pull encrypted credential blobs from the EPM Credential Vault. This vault typically stores high-privilege accounts including:
- Domain Administrator password hashes
- Service account credentials used by the management system
- API keys for integrated services
- Local admin passwords for managed endpoints
Horizon3.ai, which published technical details on the vulnerability, demonstrated how attackers can compromise entire domain environments starting from a single unauthenticated request.
Exploitation Timeline
Ivanti disclosed and patched CVE-2026-1603 in February 2026 with the EPM 2024 SU5 release. CISA's March 9 addition to the KEV catalog signals that attackers wasted no time weaponizing the flaw.
Federal Civilian Executive Branch agencies now have until March 23, 2026 to apply patches under Binding Operational Directive 22-01. Private organizations should treat this deadline as their own benchmark.
Field Effect security researchers confirmed active exploitation attempts targeting internet-facing EPM installations. Attackers appear to be scanning for vulnerable instances and attempting credential extraction.
Ivanti's Troubled Security History
This marks another chapter in Ivanti's ongoing security challenges. The company's products have appeared in CISA's KEV catalog multiple times over the past year, including vulnerabilities in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA.
The pattern is concerning for organizations relying on Ivanti for endpoint and access management. Each vulnerability disclosure followed by active exploitation suggests threat actors are closely monitoring Ivanti's security advisories.
Previous Ivanti vulnerabilities have been exploited by sophisticated actors including state-sponsored groups deploying persistent backdoors. Organizations should assume CVE-2026-1603 exploitation attempts are similarly capable.
What Attackers Gain
The credential vault access is particularly damaging because endpoint management systems typically hold keys to the kingdom. EPM deployments often include:
- Domain Admin Credentials: Used for pushing software, running remote scripts, and managing Windows systems across the enterprise
- Service Accounts: Automated accounts with elevated privileges for patch management, software deployment, and system monitoring
- Local Admin Passwords: LAPS (Local Administrator Password Solution) or similar credentials for every managed endpoint
An attacker extracting these credentials gains immediate paths to lateral movement, privilege escalation, and potentially complete domain compromise.
Recommended Mitigations
Organizations running Ivanti Endpoint Manager should take immediate action:
- Patch to EPM 2024 SU5 - This is the only complete remediation
- Restrict network access - EPM consoles should never be internet-facing
- Audit credential vault contents - Identify which accounts would be exposed
- Rotate stored credentials - Assume compromise if patching was delayed
- Monitor for unusual authentication - Watch for service account logins from unexpected sources
Why This Matters
Endpoint management platforms are high-value targets precisely because they centralize administrative access. Compromising EPM doesn't just give attackers one system; it hands them the credentials to manage every endpoint in the deployment.
The "magic number" bypass is also worth noting. This type of vulnerability, where a specific parameter value bypasses security checks, often indicates a debugging backdoor or testing feature that made it into production code. Similar patterns appear in other authentication bypass vulnerabilities we've analyzed.
For organizations evaluating their Ivanti deployments, this vulnerability should prompt a broader conversation about attack surface reduction. Does EPM need internet exposure? Are stored credentials properly segmented? What's the incident response plan if credential theft is detected?
FAQ
How do I know if my EPM instance was targeted?
Check web server logs for unusual requests to credential-related endpoints. The attack uses specific parameter patterns that leave traces. Ivanti has published indicators of compromise in their advisory.
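As an added illustration (not Ivanti's tooling or code from the article), here is a Python triage script that runs over constructed web-server log lines and flags requests to credential-vault endpoints that succeeded without an authenticated user, carry the reported value 64 in the query string, or come from outside trusted ranges. The endpoint path, the parameter name and the trusted network are placeholders; replace them with the values from Ivanti's advisory and IoCs.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Constructed sample lines in a simplified IIS/W3C-style layout:
# date time client-ip method uri-stem uri-query status username
SAMPLE_LOG = """\
2026-03-10 08:01:12 10.0.0.5 GET /console/login - 200 -
2026-03-10 08:01:15 10.0.0.5 POST /console/login - 302 jdoe
2026-03-10 08:02:01 10.0.0.5 GET /api/credentials/list sessionId=abc 200 jdoe
2026-03-10 09:14:33 203.0.113.7 GET /api/credentials/list token=64 200 -
2026-03-10 09:14:34 203.0.113.7 GET /api/credentials/export token=64 200 -
2026-03-10 09:20:10 198.51.100.9 GET /api/credentials/list - 401 -
"""
# PLACEHOLDERS: the article names neither the protected endpoints nor the
# parameter carrying the value; take both from Ivanti's advisory and IoCs.
CREDENTIAL_PATHS = re.compile(r"^/api/credentials/", re.IGNORECASE)
MAGIC_VALUE = "64"  # the bypass value the article reports
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: admin ranges
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
                     r"(?P<path>\S+) (?P<query>\S+) (?P<status>\d{3}) (?P<user>\S+)$")

def parse_line(line):
    """Return one record as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["query"] = {} if rec["query"] == "-" else parse_qs(rec["query"])
    return rec

def analyze(log_text):
    """Flag requests to credential endpoints that look like bypass attempts."""
    findings = []
    for rec in map(parse_line, log_text.splitlines()):
        if rec is None or not CREDENTIAL_PATHS.search(rec["path"]):
            continue
        reasons = []
        if rec["user"] == "-" and rec["status"] == 200:
            reasons.append("success without an authenticated user")
        if any(MAGIC_VALUE in vals for vals in rec["query"].values()):
            reasons.append("magic value in query string")
        ip = ipaddress.ip_address(rec["ip"])
        if not any(ip in net for net in TRUSTED_NETS):
            reasons.append("source outside trusted ranges")
        if reasons:
            findings.append({"ip": rec["ip"], "path": rec["path"],
                             "status": rec["status"], "reasons": reasons})
    return findings
```

Every hit from an untrusted address is reported, including 401s, because the article notes that attackers are scanning for exposed instances before attempting extraction.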
Is the credential data encrypted?
Yes, but the encryption doesn't prevent lateral attacks. Attackers can often crack the encryption offline or use the hashes directly for pass-the-hash attacks against Windows systems.